A hacker called “ins3ct3d” has demonstrated that he can access the personal information of 168,000 users of public transport in The Netherlands via an insecure website.

A campaign to encourage residents living in the provinces of Gelderland, Overijssel and Flevoland to use public transport has been promoting a website called “Experience the OV” at http://www.ervaarhetov.nl, which allows people to request a card allowing them to try out public transport travel for free.

However, as magazine Webwereld reports, a simple SQL injection attack allowed “ins3ct3d” to access how to access the personal information of subscribers – including names, addresses, birth dates, email addresses and phone numbers.

The hacker, who has chosen to remain anonymous, demonstrated the attack to the magazine by accessing the personal data of one of Webwereld’s reporters.

Explaining his reason for exposing the security vulnerability, “ins3ct3d” explained that he felt compelled to warn his fellow citizens as long as the government continues to use unsafe systems. “This time it’s sensitive personal data, next time your fingerprints or EPD,” he said.

(EPD is the Electronische Patientdossier.. I guess I don’t need to give a translation of that for you to realise why that’s not data you want falling into the wrong hands).

There’s no confirmation that banking data was exposed, but there were fields in the databases for ID card numbers, payment agreements and so forth. At the request of Webwereld, the hacker did not retrieve more data, so there’s no telling if any of these fields had been filled.

Webwereld contacted the authorities, and the website is currently “temporarily unavailable”:

I guess we should all breath a sigh of relief that, in this instance, the hack appears to have orchestrated with the interests of exposing poor security, rather than stealing users’ data and identities. Hopefully this incident might play some smart part in raising awareness around the world of the need to ensure your website is coded securely, and not at risk of leaking sensitive information.

Post navigation

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter: <a href="https://twitter.com/gcluley">@gcluley</a>.